MVP Expert

Assigning Roles from AD Groups

I assign a number of Roles to a userid based upon the AD group it is a member of. Got this working for a number of Roles but one refuses to be assigned, even though I know the userid is a member of the group.

1). Authentication of userid performed by a service that has an authentication source with a base DN of

ou=users,ou=uoy,dc=its,dc=york,dc=ac,dc=uk

Search scope of one

2). Service authorisation also performed and another authorization source with a slightly different base DN has been added to the above one.

ou=inst,ou=groups,ou=uoy,dc=its,dc=york,dc=ac,dc=uk

Search scope of one

In the AD tree, amongst other things at the ou=inst,ou=groups,ou=uoy,dc=its,dc=york,dc=ac,dc=uk level I’ve got

cn=testclearpass - a test AD group with my userid in it

and

cn=g0790stf - an AD group with all the network team userids in it

I have 2 roles defined

UoY Network Team and UoY DPS Staff

UoY Network Team is assigned via the statement

(Authorization:UoY AD Authentication:memberOf  CONTAINS  cn=g0790stf,ou=Inst,ou=Groups,ou=UoY,DC=its,DC=york,DC=ac,DC=uk)

OR (Authentication:Username  EQUALS_IGNORE_CASE  jh1802)

OR (Authentication:Full-Username  CONTAINS  Alex.Sharaz)

OR (Authentication:Full-Username  CONTAINS  ms1691)

OR (Authentication:Full-Username  CONTAINS  rf1)

UoY DPS Staff is assigned via the statement

(Authentication:Username  EQUALS_IGNORE_CASE  rjs502)

OR (Authorization:UoY AD Authentication:memberOf  CONTAINS  cn=testclearpass,ou=Inst,ou=Groups,ou=UoY,dc=its,dc=york,dc=ac,dc=uk)

Other statements include

(Authorization:UoY AD Authentication:memberOf  EQUALS  CN=g0087stf,OU=Inst,OU=Groups,OU=UoY,DC=its,DC=york,DC=ac,DC=uk)

To map role “IT Services Staff”

(Authorization:UoY AD Authentication:memberOf  CONTAINS  cn=g0000stf,ou=Inst,ou=Groups,ou=UoY,DC=its,DC=york,DC=ac,DC=uk)

To map role “Staff”

(Authorization:UoY AD Authentication:AccountStatus  NOT_EQUALS  66050)

AND (Authorization:UoY AD Authentication:AccountStatus  EXISTS)

To check if the AD Account is enabled

Running a “Role Mapping” policy simulation using a role generation policy that has the above statements in it gives me a result that is as shown below

“IT Services Staff, Staff, UnQuarantined, UoY AD Account Enabled, UoY Network Team, UoY User, [User Authenticated]”

So all of the role assignments work except for the “UoY DPS Staff” one

I watched a colleague create the group, set the same access rights as other groups and add my userid to it

How can I debug what’s going on?

I know I’m mixing and matching upper/lower case and use of contains or equals but the other statements work

Rgds

Alex

Super Contributor II

Re: Assigning Roles from AD Groups

If I read correctly you are using two different authentication sources to the same AD, why? This will result in two LDAP queries.

Next to this, you can use the group parameter instead of the memberOf. Groups will return only the group name and not the full DN.

In the access tracker you can see all the groups fetched from the AD. Have you checked if the group you use is listed?

By default ClearPass will cache LDAP data for 10 hours. So it can take up to 10 hours before ClearPass assigns the correct role or you should clear the cache.

Btw, not every account has the 66050 if it is disabled.

Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
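The closing remark about 66050, worked through as an added example (not code from either poster or from ClearPass): it compares the AccountStatus rule as posted in the question with a test of the disable bit. It assumes AccountStatus carries AD's userAccountControl bit field; the account names and values are constructed sample data and the function names are hypothetical.

```python
# userAccountControl is a bit field; flag values as documented by Microsoft for AD.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002

def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def enabled_by_posted_rule(value):
    """Rule from the question: attribute EXISTS and NOT_EQUALS 66050."""
    return value is not None and value != 66050

def enabled_by_bit_test(value):
    """Enabled only if the attribute exists and the ACCOUNTDISABLE bit is clear."""
    return value is not None and not (value & ACCOUNTDISABLE)

# Constructed sample accounts (assumed values, not taken from the thread).
SAMPLE_ACCOUNTS = {
    "user-a": 512,    # normal account, enabled
    "user-b": 66048,  # enabled, password never expires
    "user-c": 66050,  # disabled, password never expires
    "user-d": 514,    # disabled, password expiry applies
    "user-e": 546,    # disabled, password not required
    "user-f": None,   # attribute not returned by the directory
}

def misclassified(accounts):
    """Accounts the posted rule treats as enabled although the disable bit is set."""
    return sorted(name for name, uac in accounts.items()
                  if enabled_by_posted_rule(uac) and not enabled_by_bit_test(uac))

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS.items():
        flags = decode_uac(uac) if uac is not None else ["<missing>"]
        print(f"{name}: {uac} {flags} "
              f"posted_rule={enabled_by_posted_rule(uac)} bit_test={enabled_by_bit_test(uac)}")
    print("misclassified by posted rule:", misclassified(SAMPLE_ACCOUNTS))
```
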